Contents. Introduction. Prerequisites. Requirements. Components Used

Transcription

1 Contents Introduction Prerequisites Requirements Components Used Topology and flow Configure ASA Step1. Basic SSL VPN configuration Step2. CSD installation Step3. DAP policies ISE Verify CSD and AnyConnect provisioning AnyConnect VPN session with posture - non compliant AnyConnect VPN session with posture - compliant Troubleshoot AnyConnect DART References Related Cisco Support Community Discussions Introduction This configuration example presents how to perform the posture for the remote VPN sessions terminated on ASA. The posture will be performed locally by ASA using Cisco Secure Desktop with HostScan module. After VPN session is established compliant station will be allowed full network access, non compliant limited one. Also CSD and AnyConnect 4.0 provisioning flows are presented. Prerequisites Requirements Cisco recommends that you have knowledge of these topics: Cisco ASA VPN configuration Cisco AnyConnect Secure Mobility Client Components Used The information in this document is based on these software and hardware versions: Microsoft Windows 7

2 Cisco Adaptive Security Appliance, Version 9.3 or later Cisco Identity Services Engine (ISE) Software, Versions 1.3 and Later Cisco AnyConnect Secure Mobility Client, Vesion 4.0 and Later Cisco Secure Desktop, Version 3.6 or Later Topology and flow Corporate policy is the following: Remote VPN users which are having file c:\test.txt (compliant) should have full network access to inside company resources Remote VPN users which are not having file c:\test.txt (non compliant) should have limited network access to inside company resources: only access to remediation server should be provided. File existence is the simplest example. Any other condition (antivirus, antispyware, process, application, registry) could be used. The flow is the following: Remote users does not have AnyConnect installed. They access ASA web page for CSD and AnyConnect provisioning (along with the VPN profile) Once connecting via AnyConnect non compliant user will be allowed with limited network access. Dynamic Access Policy (DAP) called FileNotExists will be matched. User performs remediation (manually install file c:\test.txt) and connects again using

3 AnyConnect. This time full network access is provided (DAP policy called FileExists will be matched). HostScan module can be installed manually on the endpoint. Example files (hostscan-win pre-deploy-k9.msi) are shared on CCO. But it could be also pushed from ASA. HostScan is a part of CSD which could be provisioned from ASA. That second approach is used in this example. For older versions of AnyConnect (3.1 and before) there was a separate package available on CCO (example: hostscan_ k9.pkg) which could have been configured and provisioned on ASA separately (using "csd hostscan image" command) - but that option is not existing anymore for AnyConnect version 4.0. Configure ASA Step1. Basic SSL VPN configuration ASA is preconfigured with basic remote VPN access (SSL). AnyConnect package has been downloaded and used. Step2. CSD installation Subsequent configuration is performed using ASDM. CSD package needs to be downloaded to flash and referenced from configuration: Without enabling Secure Desktop it would not be possible to use CSD attributes in DAP policies:

4 After enabling CSD multiple options under Secure Desktop Manager appears. Please be informed that some of them are already deprecated. More information regarding deprecated features can be found: Feature Deprecation Notice for Secure Desktop (Vault), Cache Cleaner, Keystroke Logger Detection, and Host Emulation Detection HostScan is still fully supported, new Basic HostScan rule is being added. Existence of c:\test.txt will be verified. Also additional Advanced Endpoint Assessment rule is being added:

5 That one is checking for the existence of Symantec Norton AntiVirus 20.x and Microsoft Windows Firewall 7. Posture module (HostScan) will check those values but there will be no enforcement (DAP policy will not verify that). Step3. DAP policies DAP policies are responsible for using data gathered by HostScan as conditions and apply specific attributes to the VPN session as a result. To create DAP policy from ASDM: Remote Access VPN -> Clientless SSL VPN Access -> Dynamic Access Policies: First policy (FileExists) will check tunnel-group name which is used by configured VPN profile (VPN profile configuration has been omitted for clarity). Then additional check for the file c:\test.txt is being performed:

6 As a result no actions are being performed with the default setting to permit connectivity. No ACL is being used - full network access will be provided. Details for the file check: Second policy (FileNonExists) is similar - but this time condition is "if file is not existing".

7 The result has access-list ACL1 configured. That will be applied for non compliant VPN users providing limited network access. Both DAP policies are pushing for AnyConnect access: ISE Identity Services Engine is used for user authentication. Only network device (ASA) and correct username (cisco) should be configured. That part is not covered in this article. Verify CSD and AnyConnect provisioning On the beginning user is not provisioned with AnyConnect client. User is also not compliant with the policy (the file c:\test.txt does not exist). Entering and is immediately redirected for Cisco Secure Desktop installation:

8 That can be done using Java or ActiveX. Once CSD is being installed that is being reported: Then user is being redirected for authentication: If successful AnyConnect along with configured profile is being deployed - again ActiveX or Java can be used:

9 And the VPN connection is being established: The first step for AnyConnect is to perform posture checks (HostScan) and send the reports to ASA: Then AnyConnect authenticates and finishes VPN session: AnyConnect VPN session with posture - non compliant When establishing a new VPN session using AnyConnect the first step would be the posture (HostScan) as presented on the screenshot above. Then authentication occurs and the VPN session is established:

10 ASA would report that HostScan report is being received: %ASA : Received 4 KB Hostscan data from IP < > Then performs user authentication: %ASA : AAA user authentication Successful : server = : user = cisco And starts authorization for that VPN session. When having "debug dap trace 255" enabled the information regarding the existence of "c:\test.txt" file is being returned: DAP_TRACE[128]: dap_install_endpoint_data_to_lua:endpoint.file["1"].exists="false" DAP_TRACE: endpoint.file["1"].exists = "false" DAP_TRACE[128]: dap_install_endpoint_data_to_lua:endpoint.file["1"].path="c:\test.txt" DAP_TRACE: endpoint.file["1"].path = "c:\\test.txt" Also information regarding Microsoft Windows Firewall: DAP_TRACE[128]: dap_install_endpoint_data_to_lua:endpoint.fw["mswindowsfw"].exists="false" DAP_TRACE: endpoint.fw["mswindowsfw"].exists = "false" DAP_TRACE[128]: dap_install_endpoint_data_to_lua:endpoint.fw["mswindowsfw"].description="microsoft Windows Firewall" DAP_TRACE: endpoint.fw["mswindowsfw"].description = "Microsoft Windows Firewall" DAP_TRACE[128]: dap_install_endpoint_data_to_lua:endpoint.fw["mswindowsfw"].version="7" DAP_TRACE: endpoint.fw["mswindowsfw"].version = "7" DAP_TRACE[128]: dap_install_endpoint_data_to_lua:endpoint.fw["mswindowsfw"].enabled="failed" DAP_TRACE: endpoint.fw["mswindowsfw"].enabled = "failed" And Symantec AntiVirus (as per HostScan Advanced Endpoint Assessment rules configured before). As a result the DAP policy is being matched: DAP_TRACE: Username: cisco, Selected DAPs:,FileNotExists That policy is forcing to use AnyConnect and also applies access-list ACL1 which provides restricted network access for the user (not compliant with the corporate policy). DAP_TRACE:The DAP policy contains the following attributes for user: cisco DAP_TRACE: DAP_TRACE:1: tunnel-protocol = svc DAP_TRACE:2: svc ask = ask: no, dflt: svc DAP_TRACE:3: action = continue DAP_TRACE:4: network-acl = ACL1 Logs presents also ACIDEX extensions which could be used by DAP policy (or even passed in Radius-Requests to ISE and being used in Authorization Rules as conditions): endpoint.anyconnect.clientversion = " "; endpoint.anyconnect.platform = "win"; endpoint.anyconnect.devicetype = "innotek GmbH VirtualBox"; endpoint.anyconnect.platformversion = " "; endpoint.anyconnect.deviceuniqueid = "A1EDD2F14F EB42C281C98DD892F7D34239AECDBB3FEA69D6567B2591"; endpoint.anyconnect.macaddress["0"] = " f-5f-64"; endpoint.anyconnect.useragent = "AnyConnect Windows "; As a result VPN session is up but with the restricted network access: ASAv2# show vpn-sessiondb detail anyconnect Session Type: AnyConnect Detailed Username : cisco Index : 4

11 Assigned IP : Public IP : Protocol : AnyConnect-Parent SSL-Tunnel DTLS-Tunnel License : AnyConnect Premium Encryption : AnyConnect-Parent: (1)none SSL-Tunnel: (1)RC4 DTLS-Tunnel: (1)AES128 Hashing : AnyConnect-Parent: (1)none SSL-Tunnel: (1)SHA1 DTLS-Tunnel: (1)SHA1 Bytes Tx : Bytes Rx : Pkts Tx : 8 Pkts Rx : 146 Group Policy : AllProtocols Tunnel Group : TAC Login Time : 11:58:54 UTC Fri Dec Duration : 0h:07m:54s Inactivity : 0h:00m:00s VLAN Mapping : N/A VLAN : none Audt Sess ID : 0add d4d7e Security Grp : none AnyConnect-Parent Tunnels: 1 SSL-Tunnel Tunnels: 1 DTLS-Tunnel Tunnels: 1 AnyConnect-Parent: Tunnel ID : 4.1 Public IP : Encryption : none Hashing : none TCP Src Port : TCP Dst Port : 443 Auth Mode : userpassword Idle TO Left : 22 Minutes Client OS : win Client OS Ver: Client Type : AnyConnect Bytes Tx : 5716 Bytes Rx : 764 Pkts Tx : 4 Pkts Rx : 1 SSL-Tunnel: Tunnel ID : 4.2 Assigned IP : Public IP : Encryption : RC4 Hashing : SHA1 Encapsulation: TLSv1.0 TCP Src Port : TCP Dst Port : 443 Auth Mode : userpassword Idle TO Left : 22 Minutes Client OS : Windows Client Type : SSL VPN Client Bytes Tx : 5716 Bytes Rx : 2760 Pkts Tx : 4 Pkts Rx : 12 Filter Name : ACL1 DTLS-Tunnel: Tunnel ID : 4.3 Assigned IP : Public IP : Encryption : AES128 Hashing : SHA1 Encapsulation: DTLSv1.0 UDP Src Port : UDP Dst Port : 443 Auth Mode : userpassword Idle TO Left : 24 Minutes Client OS : Windows Client Type : DTLS VPN Client Bytes Tx : 0 Bytes Rx : Pkts Tx : 0 Pkts Rx : 133 Filter Name : ACL1

12 ASAv2# show access-list ACL1 access-list ACL1; 1 elements; name hash: 0xe535f5fe access-list ACL1 line 1 extended permit ip any host (hitcnt=0) 0xe6492cbf AnyConnect history shows detailed steps for the posture process: 12:57:47 Contacting :58:01 Posture Assessment: Required for access 12:58:01 Posture Assessment: Checking for updates... 12:58:02 Posture Assessment: Updating... 12:58:03 Posture Assessment: Initiating... 12:58:13 Posture Assessment: Active 12:58:13 Posture Assessment: Initiating... 12:58:37 User credentials entered. 12:58:43 Establishing VPN session... 12:58:43 The AnyConnect Downloader is performing update checks... 12:58:43 Checking for profile updates... 12:58:43 Checking for product updates... 12:58:43 Checking for customization updates... 12:58:43 Performing any required updates... 12:58:43 The AnyConnect Downloader updates have been completed. 12:58:43 Establishing VPN session... 12:58:43 Establishing VPN - Initiating connection... 12:58:48 Establishing VPN - Examining system... 12:58:48 Establishing VPN - Activating VPN adapter... 12:58:52 Establishing VPN - Configuring system... 12:58:52 Establishing VPN... 12:58:52 Connected to AnyConnect VPN session with posture - compliant After creating c:\test.txt file the flow will be similar. Once new AnyConnect session is initiated the logs would indicate the existence of the file: %ASA : DAP: User cisco, Addr : Session Attribute endpoint.file["1"].exists="true" %ASA : DAP: User cisco, Addr : Session Attribute endpoint.file["1"].path="c:\test.txt" And as a result another DAP policy is being used: DAP_TRACE: Username: cisco, Selected DAPs:,FileExists The policy does not impose any ACL as the restriction for the network traffic. And the session is UP without any ACL (full network access): ASAv2# show vpn-sessiondb detail anyconnect Session Type: AnyConnect Detailed Username : cisco Index : 5 Assigned IP : Public IP : Protocol : AnyConnect-Parent SSL-Tunnel DTLS-Tunnel License : AnyConnect Premium Encryption : AnyConnect-Parent: (1)none SSL-Tunnel: (1)RC4 DTLS-Tunnel: (1)AES128 Hashing : AnyConnect-Parent: (1)none SSL-Tunnel: (1)SHA1 DTLS-Tunnel: (1)SHA1 Bytes Tx : Bytes Rx : 6298 Pkts Tx : 8 Pkts Rx : 38 Group Policy : AllProtocols Tunnel Group : TAC Login Time : 12:10:28 UTC Fri Dec

13 Duration : 0h:00m:17s Inactivity : 0h:00m:00s VLAN Mapping : N/A VLAN : none Audt Sess ID : 0add d5034 Security Grp : none AnyConnect-Parent Tunnels: 1 SSL-Tunnel Tunnels: 1 DTLS-Tunnel Tunnels: 1 AnyConnect-Parent: Tunnel ID : 5.1 Public IP : Encryption : none Hashing : none TCP Src Port : TCP Dst Port : 443 Auth Mode : userpassword Idle TO Left : 29 Minutes Client OS : win Client OS Ver: Client Type : AnyConnect Bytes Tx : 5716 Bytes Rx : 764 Pkts Tx : 4 Pkts Rx : 1 SSL-Tunnel: Tunnel ID : 5.2 Assigned IP : Public IP : Encryption : RC4 Hashing : SHA1 Encapsulation: TLSv1.0 TCP Src Port : TCP Dst Port : 443 Auth Mode : userpassword Idle TO Left : 29 Minutes Client OS : Windows Client Type : SSL VPN Client Bytes Tx : 5716 Bytes Rx : 1345 Pkts Tx : 4 Pkts Rx : 6 DTLS-Tunnel: Tunnel ID : 5.3 Assigned IP : Public IP : Encryption : AES128 Hashing : SHA1 Encapsulation: DTLSv1.0 UDP Src Port : UDP Dst Port : 443 Auth Mode : userpassword Idle TO Left : 30 Minutes Client OS : Windows Client Type : DTLS VPN Client Bytes Tx : 0 Bytes Rx : 4189 Pkts Tx : 0 Pkts Rx : 31 Also Anyconnect is reporting that HostScan is idle and waiting for the next scan request: ASAv2# show vpn-sessiondb detail anyconnect Session Type: AnyConnect Detailed Username : cisco Index : 5 Assigned IP : Public IP : Protocol : AnyConnect-Parent SSL-Tunnel DTLS-Tunnel License : AnyConnect Premium Encryption : AnyConnect-Parent: (1)none SSL-Tunnel: (1)RC4 DTLS-Tunnel: (1)AES128

14 Hashing : AnyConnect-Parent: (1)none SSL-Tunnel: (1)SHA1 DTLS-Tunnel: (1)SHA1 Bytes Tx : Bytes Rx : 6298 Pkts Tx : 8 Pkts Rx : 38 Group Policy : AllProtocols Tunnel Group : TAC Login Time : 12:10:28 UTC Fri Dec Duration : 0h:00m:17s Inactivity : 0h:00m:00s VLAN Mapping : N/A VLAN : none Audt Sess ID : 0add d5034 Security Grp : none AnyConnect-Parent Tunnels: 1 SSL-Tunnel Tunnels: 1 DTLS-Tunnel Tunnels: 1 AnyConnect-Parent: Tunnel ID : 5.1 Public IP : Encryption : none Hashing : none TCP Src Port : TCP Dst Port : 443 Auth Mode : userpassword Idle TO Left : 29 Minutes Client OS : win Client OS Ver: Client Type : AnyConnect Bytes Tx : 5716 Bytes Rx : 764 Pkts Tx : 4 Pkts Rx : 1 SSL-Tunnel: Tunnel ID : 5.2 Assigned IP : Public IP : Encryption : RC4 Hashing : SHA1 Encapsulation: TLSv1.0 TCP Src Port : TCP Dst Port : 443 Auth Mode : userpassword Idle TO Left : 29 Minutes Client OS : Windows Client Type : SSL VPN Client Bytes Tx : 5716 Bytes Rx : 1345 Pkts Tx : 4 Pkts Rx : 6 DTLS-Tunnel: Tunnel ID : 5.3 Assigned IP : Public IP : Encryption : AES128 Hashing : SHA1 Encapsulation: DTLSv1.0 UDP Src Port : UDP Dst Port : 443 Auth Mode : userpassword Idle TO Left : 30 Minutes Client OS : Windows Client Type : DTLS VPN Client Bytes Tx : 0 Bytes Rx : 4189 Pkts Tx : 0 Pkts Rx : 31 For reassessment it's advised to use posture module integrated with ISE: Troubleshoot

15 AnyConnect DART AnyConnect provides Diagnostics: Which is gathering and saving all the AnyConnect logs to a zip file on the desktop. That zip file includes the logs in Cisco AnyConnect Secure Mobility Client/Anyconnect.txt. That will provide the information about ASA is requesting HostScan to gather data&colon; Date : 12/26/2014 Time : 12:58:01 Type : Information Source : acvpnui Description : Function: ConnectMgr::processResponseString File:.\ConnectMgr.cpp Line: Invoked Function: ConnectMgr::processResponseString Return Code: 0 (0x ) Description: HostScan request detected. Then multiple other logs reveal that CSD is installed. This is the example for a CSD provisioning and subsequent AnyConnect connection along with posture: CSD detected, launching CSD Posture Assessment: Required for access

16 Gathering CSD version information. Posture Assessment: Checking for updates... CSD version file located Downloading and launching CSD Posture Assessment: Updating... Downloading CSD update CSD Stub located Posture Assessment: Initiating... Launching CSD Initializing CSD Performing CSD prelogin verification. CSD prelogin verification finished with return code 0 Starting CSD system scan. CSD successfully launched Posture Assessment: Active CSD launched, continuing until token is validated. Posture Assessment: Initiating... Checking CSD token for validity Waiting for CSD token validity result CSD token validity check completed CSD Token is now valid CSD Token validated successfully Authentication succeeded Establishing VPN session... Communication between ASA and AnyConnect is optimized, ASA requests to perform only specific checks - AnyConnect downloads additional data to be able to perform that (for example specific AntiVirus verification). When opening the case with TAC please attach Dart logs along with "show tech" and "debug dap trace 255" from ASA. References Configuring Host Scan and the Posture Module - Cisco AnyConnect Secure Mobility Client Administrator Guide Configuring Host Scan - Cisco Secure Desktop Configuration Guide Posture services on Cisco ISE Configuration Guide Cisco ISE 1.3 Administrators Guide Technical Support & Documentation - Cisco Systems